Zone setup for 2 vlans

openwrt 23.05-rc3
Edgerouter X

I have my vlan 1 and 3 set up with devices on each. However, I am having trouble getting firewall rules to do what I want, and I think it has something to do with my zones.
They are lan (vlan 1) and lan3 (vlan 3). Are these zones correct?

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'lan3'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan3'

My issue in more detail is that the following rule has no effect:

config rule
option name 'no-3-to-3'
option dest 'lan3'
option target 'DROP'
option family 'ipv4'
list dest_ip '10.10.20.0/24'
option src 'lan3'
list proto 'all'
list src_ip '10.10.20.0/24'

What is your goal? That is critical for you to describe if you want to have your rules verified.

The specific rule you showed would be expected to have no effect whatsoever.


The firewall isn't involved when traffic is all in the same subnet. You could block traffic from vlan1 to vlan3 (or vice versa), but not between devices that are all in vlan1 or vlan3.


Well, that should be obvious ("The firewall isn't involved when traffic is all in the same subnet"), but it wasn't to me :}

I was trying to prevent all the 'things' on the 'thing' vlan from talking to each other.

I'm going to 'unsolve' this for a bit. I have another rule which prevents vlan3 traffic from being forwarded to vlan1:

config rule
option name 'no-3-to-1'
option src 'lan3'
option dest 'lan'
option target 'DROP'
option family 'ipv4'
list src_ip '10.10.20.0/24'
list dest_ip '10.10.10.0/24'
list proto 'all'

It works except in the case where a device on vlan3 connects to the main router address at 10.10.10.1,
which has the same MAC as the vlan3 interface with IP 10.10.20.1.

Example:

wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.20.18 netmask 255.255.255.0 broadcast 10.10.20.255

$ ping 10.10.10.4
PING 10.10.10.4 (10.10.10.4) 56(84) bytes of data.
^C
--- 10.10.10.4 ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11268ms

$ ping 10.10.10.1
PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
64 bytes from 10.10.10.1: icmp_seq=1 ttl=64 time=2.01 ms
64 bytes from 10.10.10.1: icmp_seq=2 ttl=64 time=1.62 ms
64 bytes from 10.10.10.1: icmp_seq=3 ttl=64 time=2.09 ms
^C
--- 10.10.10.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.617/1.905/2.093/0.207 ms

The rule you've shown is not necessary as long as you simply don't have a forward rule from lan3 > lan. Having not seen your full firewall file, I don't know what you have there, but my guess is that this rule is unnecessary and is not the reason for the blocking of the inter-vlan connections.

This is expected. The router is responding before the routing decisions are made because the router knows it has 2 addresses (it'll listen on both). The solution is to set the input rule to drop or reject. Often, you'll want DHCP and DNS services, so you'd then add a specific rule to allow input for those ports.


OK. I think in my case just making the vlan3 interface unmanaged accomplishes what I want.

Thanks to all again for the help.

No, it doesn't. If the interface is unmanaged, the hosts connected to that VLAN won't be able to be routed.

Sorry. I was thinking about the APs.

Yes, for an AP, the non-management VLAN(s) typically should be unmanaged.

So you lost me on that. What input rule?

The zone level rule called INPUT controls access to the router from the network(s) in the respective zone.
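An added example, not config from the thread: an /etc/config/firewall fragment for the lan3 zone that applies the INPUT advice above (router-bound traffic dropped, then DHCP and DNS re-opened) and drops the explicit no-3-to-1 rule in favour of a forward policy. It assumes a 'wan' zone exists; the zone, network and subnet names are the thread's own.

```uci
# Added example (not the thread's config): /etc/config/firewall fragment
# for the 'lan3' zone (10.10.20.0/24). Assumes a 'wan' zone already exists.

config zone
	option name 'lan3'
	list network 'lan3'
	# INPUT governs traffic addressed to the router itself from this zone.
	# The router answers on any of its addresses (10.10.20.1 and 10.10.10.1),
	# so DROP here is what stops a vlan3 host reaching 10.10.10.1.
	option input 'DROP'
	option output 'ACCEPT'
	# With forward REJECT and no 'config forwarding' from lan3 to lan,
	# the separate 'no-3-to-1' rule is not needed.
	option forward 'REJECT'

# Re-open only the router services the vlan3 clients need.
config rule
	option name 'Allow-DHCP-lan3'
	option src 'lan3'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-lan3'
	option src 'lan3'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'

# Let vlan3 reach the internet and nothing else.
config forwarding
	option src 'lan3'
	option dest 'wan'

# None of this affects two hosts inside 10.10.20.0/24 talking to each other:
# that traffic is switched at layer 2 and never reaches the router's firewall.
```

Reload with `/etc/init.d/firewall restart` and verify from a vlan3 host that 10.10.10.1 no longer answers ping while DHCP leases and DNS lookups still work.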

OK. I figured out why I'm having so much trouble with all of this. I spent too many years dealing with firewalls on servers.
